Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
* Saqib Ali: Can somebody explain me how this so-called Homomorphic split-key encryption works? Isn't this just a protocal which performs a cryptographic primitive using split key material, without actually recombining the keys? (Traditional Shamir secret sharing needs a trust party for key recombination.) If yes, you might want to look for RSA Threshold Cryptography and similar work. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
On Sun, Feb 19, 2012 at 10:08 AM, Florian Weimer f...@deneb.enyo.de wrote: * Saqib Ali: Can somebody explain me how this so-called Homomorphic split-key encryption works? Isn't this just a protocal which performs a cryptographic primitive using split key material, without actually recombining the keys? (Traditional Shamir secret sharing needs a trust party for key recombination.) The key part is the homomorphism. ISTR this from a few years ago, and I see wikipedia has an OK article on the subject: http://en.wikipedia.org/wiki/Homomorphic_encryption#Fully_homomorphic_encryption The idea is that you could even write an entire program this way, which allows you to run it on untrusted systems without leaking the program or data to those systems. It seems unlikely to get deployed anytime soon. Nico -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
I don't see why you'd want split keys when it's already homomorphic. What would be the additional gain of that? Unless they need half the key to do the homomorphic computations. Also, homomorphic encryption and computation is usually slow. VERY slow. On Sun, Feb 19, 2012 at 17:22, Nico Williams n...@cryptonector.com wrote: On Sun, Feb 19, 2012 at 10:08 AM, Florian Weimer f...@deneb.enyo.de wrote: * Saqib Ali: Can somebody explain me how this so-called Homomorphic split-key encryption works? Isn't this just a protocal which performs a cryptographic primitive using split key material, without actually recombining the keys? (Traditional Shamir secret sharing needs a trust party for key recombination.) The key part is the homomorphism. ISTR this from a few years ago, and I see wikipedia has an OK article on the subject: http://en.wikipedia.org/wiki/Homomorphic_encryption#Fully_homomorphic_encryption The idea is that you could even write an entire program this way, which allows you to run it on untrusted systems without leaking the program or data to those systems. It seems unlikely to get deployed anytime soon. Nico -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
On Sun, 19 Feb 2012 17:08:25 +0100 Florian Weimer f...@deneb.enyo.de wrote: * Saqib Ali: Can somebody explain me how this so-called Homomorphic split-key encryption works? Isn't this just a protocal which performs a cryptographic primitive using split key material, without actually recombining the keys? (Traditional Shamir secret sharing needs a trust party for key recombination.) If yes, you might want to look for RSA Threshold Cryptography and similar work. What is the point of introducing homomorphic encryption here? When last I checked, we were still pretty far from practical FHE systems, and we have not really determined the appropriate security parameters for the systems we are aware of now. It is telling that the company in the link provides few details about their system, except so say that homomorphic encryption is something they plan to deploy in the future. Maybe they are talking about oblivious AES from garbled circuits, although I am not really sure what the advantage of such a thing might be. -- Ben -- Benjamin R Kreuter UVA Computer Science brk...@virginia.edu KK4FJZ -- If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them. - George Orwell signature.asc Description: PGP signature ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
Hi Florian, If the system involves split key / shared secrets (m of n), then it wouldn't be a homomorphic system. Would it? Saqib On Sun, Feb 19, 2012 at 8:08 AM, Florian Weimer f...@deneb.enyo.de wrote: * Saqib Ali: Can somebody explain me how this so-called Homomorphic split-key encryption works? Isn't this just a protocal which performs a cryptographic primitive using split key material, without actually recombining the keys? (Traditional Shamir secret sharing needs a trust party for key recombination.) If yes, you might want to look for RSA Threshold Cryptography and similar work. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
* Saqib Ali: If the system involves split key / shared secrets (m of n), then it wouldn't be a homomorphic system. Would it? I think the homomorphic part alludes to the fact that full reconstruction of the entire key is not needed to perform the cryptographic operation. In essence, I suspect it's a misnomer. We'd need a protocol description, not an interview, to be sure. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
Florian, That's what I suspected as well. Unfortunately, it appears that Porticor's homomorphic split-key system is a closed one, so we may never see the details. But I think they are using the word Homomorphic to mislead people. Saqib On Sun, Feb 19, 2012 at 9:58 AM, Florian Weimer f...@deneb.enyo.de wrote: * Saqib Ali: If the system involves split key / shared secrets (m of n), then it wouldn't be a homomorphic system. Would it? I think the homomorphic part alludes to the fact that full reconstruction of the entire key is not needed to perform the cryptographic operation. In essence, I suspect it's a misnomer. We'd need a protocol description, not an interview, to be sure. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
On 2012-02-20 2:08 AM, Florian Weimer wrote: Can somebody explain me how this so-called Homomorphic split-key encryption works? Homomorphic means you combine the keys without finding out the key that you are combining - Everyone gives you an encrypted copy of their key fragment, and when you are done, you have an encrypted copy of the combined key. Isn't this just a protocal which performs a cryptographic primitive using split key material, without actually recombining the keys? (Traditional Shamir secret sharing needs a trust party for key recombination.) If yes, you might want to look for RSA Threshold Cryptography and similar work. My understanding is that RSA Threshold always requires a trusted party, which makes it useless. If you have a party that is actually trusted, just let him count the votes or whatever. The cryptography does not do you any good. The only protocol that I am aware of that performs cryptographic operations on a split key with needing a trusted party, uses Gap Diffie Hellman groups. All known Gap Diffie Hellman Groups consist of an elliptic curve which supports a bilinear pairing from the curve to integers modulo some large prime. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
There are multiparty computation too, but that's a bit different since it's essentially an encrypted VM where everybody runs one part. It could do the same thing without a snigle trusted party, though. On Sun, Feb 19, 2012 at 22:34, James A. Donald jam...@echeque.com wrote: On 2012-02-20 2:08 AM, Florian Weimer wrote: Can somebody explain me how this so-called Homomorphic split-key encryption works? Homomorphic means you combine the keys without finding out the key that you are combining - Everyone gives you an encrypted copy of their key fragment, and when you are done, you have an encrypted copy of the combined key. Isn't this just a protocal which performs a cryptographic primitive using split key material, without actually recombining the keys? (Traditional Shamir secret sharing needs a trust party for key recombination.) If yes, you might want to look for RSA Threshold Cryptography and similar work. My understanding is that RSA Threshold always requires a trusted party, which makes it useless. If you have a party that is actually trusted, just let him count the votes or whatever. The cryptography does not do you any good. The only protocol that I am aware of that performs cryptographic operations on a split key with needing a trusted party, uses Gap Diffie Hellman groups. All known Gap Diffie Hellman Groups consist of an elliptic curve which supports a bilinear pairing from the curve to integers modulo some large prime. __**_ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/**mailman/listinfo/cryptographyhttp://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
On 2012-02-20 7:55 AM, Ali, Saqib wrote: Hi James, I am still not sure why you need homomorphism in this case. What is the benefit of using homomorphism to porticor's customer, for example? With RSA split keys, you need a trusted party to combine them - but if the trusted party is untrustworthy, you are hosed. Presumably, with homomorphic encryption, the trusted party would perform the operations, but not have access to the combined key. But I don't think this helps. It is a way of getting around the trusted party problem, but I don't think it does get around the trusted party problem. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
Hi James, Exactly. True Homomorphism (or a fully Homomorphic system) does not require the hosting party to have any knowledge of the key, but still facilitates computational functions on the data without the need for decrypting the data. Having homomorphism is a split key / shared secret (m of n principle) doesn't make any sense. Saqib On Sun, Feb 19, 2012 at 4:26 PM, James A. Donald jam...@echeque.com wrote: On 2012-02-20 7:55 AM, Ali, Saqib wrote: Hi James, I am still not sure why you need homomorphism in this case. What is the benefit of using homomorphism to porticor's customer, for example? With RSA split keys, you need a trusted party to combine them - but if the trusted party is untrustworthy, you are hosed. Presumably, with homomorphic encryption, the trusted party would perform the operations, but not have access to the combined key. But I don't think this helps. It is a way of getting around the trusted party problem, but I don't think it does get around the trusted party problem. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Homomorphic split-key encryption OR snake oil crypto
My guess is that since fully homomorphic systems will be very slow that one could use it to guard just a tiny secret. But what's the point? Who cares if you can protect the customer's keys, if you can't protect the customer's plaintext data? Nico -- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] Homomorphic split-key encryption OR snake oil crypto
What crypto mumbo jumbo is this? From: http://www.porticor.com/2012/02/thewhir-q-and-a/ -- Lets’ define the challenge, first. Customers want to both have their cake and eat it: they want security and they want to enjoy the flexibility offered by modern clouds. Let’s demystify the terms “split key” and “homomorphic”. To understand “split key”, think about a bank safe that has two keys, one is held by the customer (call it the “master key”) and another is held by the banker. The advantage is that, if the master key is stolen, the banker will still protect your secrets; and yet the banker is unable to view the secrets in the safe since he does not have the master key. Bankers have been doing that for hundreds of years, only now we bring such an approach to the cloud with some cool technology. In business terms, this means that neither Porticor nor the cloud provider know the customer keys, leaving control in customer hands. “Homomorphic” capabilities will make this split-key approach even stronger. Homomorphic encryption allows keys themselves to be encrypted, and to be used and managed without ever having to decrypt them. This is attractive for cloud users – it guarantees their keys remain private in the cloud, unknown to cloud providers, security vendors and hackers. This patented approach is available for the first time as the Porticor Virtual Private Data system. -- Can somebody explain me how this so-called Homomorphic split-key encryption works? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography